Doubling Down on 'Card Not Present' Fraud

Betting that the EMV shift will push fraudsters online.

I recall a trip to Sin City earlier this year. Whilst in Vegas, I noticed some strange and quirky bets available, or prop bets as the casinos call them. It got me thinking: What would I bet on in the payments world? The Bitcoin exchange? Probably not, as I’ve missed the best part of that bubble!

I would be willing to bet on an increase in card-not-present (CNP) fraud starting in Q4 2015. Not exactly an original thought, so the odds would be ridiculously short, given the experiences of the UK and other markets following the transition to the EMV (Europay, MasterCard, Visa) standard.

Why bring this up now? When I speak to my non-payment friends about EMV, they have no idea what I am talking about. Even though some retailers seem to be gearing up for EMV, my friends still draw a blank. In the last few months, I have seen more and more retailers with EMV-ready POS terminals. The likes of Costco, Walgreens, and Hy-Vee are all equipped.

However, when I try to use my EMV-enabled card, I get looks of confusion. The general response is, “We aren’t ready to use that,” or “We haven’t been trained yet.” So the lack of awareness amongst my friends is unsurprising.

Yet, they are aware of data breaches and card fraud in general. A recent study conducted by ACI indicated that more than a third of consumers in the US don’t think retailers do enough at physical stores to protect consumers. Conversely, nearly one in five consumers think online retailers don’t do enough to protect their card and account information. Is this differing view of physical and online retailers a result of the brick-and-mortar data breaches in the last two years? Will it change following the implementation of EMV?

The current e-commerce market is worth $430 billion in sales, with year-over-year growth hovering around 12% in the US. The opportunity is ripe and growing for fraudsters to attack the soon-to-be weakest link. After implementing EMV in 2006 (I vividly remember the “I heart Chip & PIN” slogans when I lived in England; it launched on February 14), the UK experienced significant increases in CNP fraud.

So what are the costs in the US today, and what will they be in the future? Industry experts at Aite Group estimate the US suffers from about $2.9 billion in CNP fraud losses today and project that this will rise to $3.8 billion in 2016, the first full year after the EMV liability shift, and $6.4 billion in 2018. With this expected increase in CNP fraud, will in-store retailers be viewed in a more favorable light? Will consumers turn their anger toward… e-commerce retailers? Quite possibly. It will be interesting to see the study results in 2016.

For now, industry players can take preventive action so they avoid becoming victims of CNP fraud and can still be viewed (more) favorably by consumers than their brick-and-mortar competitors. Are retailers, and in particular e-tailers, willing to risk their brands? Does brand equity get factored into cost-benefit analysis when making preventive decisions? If so, what can they do? There are three strategies they can implement with a proper fraud management and transaction monitoring solution to combat the impending rise in CNP fraud and its associated attacks: Detect account takeover, detect new account fraud, and detect the use of stolen financial account data.

Using my proxy of non-payment friends in follow-up conversations, when I explain what EMV is and what it can and can’t do, they get excited about the added layer of security. When I talk about e-commerce and CNP fraud, they seriously consider if they will shop less online. Ultimately, e-commerce retailers will have to implement something or risk revenue loss, customer attrition, and damaged brands resulting in destruction of shareholder value.

Perhaps my wager should be on which e-commerce retailer will not implement an effective strategy and be the first major CNP victim after October 15. Anybody willing to take a bet?

Paul McMeekin is a big believer in the power of payments and how electronic payments can change the world. He currently heads up the business intelligence and market research function at ACI, a large global payment software provider. Previous roles at ACI include product ... View Full Bio

Agreed. It's understandable that banks don't want to inconvenience their customers, but when it comes to security, the customers should really understand that increased security measures are for their own good.

Two-factor authentication should be ubiquitous by now. I think these kinds of major hacks will help grow customer awareness about the need to opt-in for that kind of authentication to better protect themselves. Nobody wants to force their customer to do a second authentication factor because of customer experience concerns. The customers need to be convinced that it's worth it. Obviously a huge need for customer education there.

Now that would be cool! For banking purposes they could use the cip and give out free terminals so you have two factor authentication. Barclays does it in the UK. It'll be interesting to see what happens and which e-tailers are lagging behind.

I woudl think that with all of the cyber fraud news happening right now that they would have to be looking into it. At the very least there has to be another way to verify customers online besides usernames and passwords.